massdns / bfff544
New upstream version 3.4+git20200406 Sophie Brun 4 years ago
8 changed file(s) with 95 addition(s) and 87 deletion(s).
1616 - SSH private key authentication (`-b sshkey`)
1717 - VNC key authentication (`-b vpn`)
1818
19
2019 ### Installation
2120
22 Install all the dependencies:
23
24 ```
25 # apt-get -y install openvpn freerdp-x11 vncviewer
21 **Kali Linux users can do**
22
23 ```
24 # sudo apt install -y crowbar
25 ```
26
27 Else if you wish to install from source, install all the dependencies:
28
29 **Debain 9/10+ & Kali Rolling**
30
31 ```
32 # apt install -y nmap openvpn freerdp2-x11 tigervnc-viewer
33 ```
34
35 **Debain 7/8 & Kali 1/2**
36
37 ```
38 # apt-get install -y nmap openvpn freerdp-x11 vncviewer
2639 ```
2740
2841 Then get latest version from GitHub:
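Review bot: "Debain" is misspelled in both new headings ("Debain 9/10+ & Kali Rolling" and "Debain 7/8 & Kali 1/2"); it should read "Debian". Two smaller things in the same hunk: the Kali block puts `sudo apt install -y crowbar` behind a `#` (root) prompt, so either drop `sudo` or show a `$` prompt, and the unchanged context line `VNC key authentication (`-b vpn`)` does not match the `-b vnckey` value the VNC example later in this README actually uses, which is worth correcting while this section is being edited.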
3346
3447 Note: The RDP client package depends on your OS:
3548
49 + Debain 9/10 & Kali Rolling uses `freerdp2-x11`
3650 + Debian 7/8 & Kali 1/2 uses `freerdp-x11` package.
3751 + Else you can try `xfreerdp`.
38 + Else you may need to compile & tweak `freerdp` by following: http://opentechnotes.blogspot.co.uk/2015/02/compile-headless-freerdp-credential-checking.html
39
40 _Don't forget to edit the script to point to the new binary_!
52 + The fall back method would be to compile & tweak `freerdp` by following: http://opentechnotes.blogspot.co.uk/2015/02/compile-headless-freerdp-credential-checking.html
53
54 _Don't forget to patch `./lib/main.py` to point to the new binary_!
4155
4256 ### Usage
4357
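Review bot: "Debain" again in the new bullet `Debain 9/10 & Kali Rolling uses freerdp2-x11`, and "fall back method" should be "fallback method". More substantively, the new text tells users to patch `./lib/main.py` to point at a custom xfreerdp binary; since that path is a hard-coded constant in `Main.__init__` (`self.xfreerdp_path = "/usr/bin/xfreerdp"` in this same diff), a command-line option or an environment variable would avoid asking users to edit the source.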
95109 2015-03-28 11:04:00 RDP-SUCCESS : 10.68.35.150:3389 - "gokhan alkan@DOMAIN":Aa123456,
96110 ```
97111
98
99
100112 #### Brute Forcing Remote Desktop Protocol (RDP)
101113
102114 Below are a few examples of attacking RDP using Crowbar.
103115
104
105
106116 RDP brute forcing a single IP address using a single username and a single password:
107117
108118 ```
111121
112122 ![](https://raw.githubusercontent.com/galkan/crowbar/master/images/crowbar-rdp.jpg)
113123
114
115 - - -
116
124 - - -
117125
118126 RDP brute forcing a single IP address using username list file and a single password:
119127
120128 ```
121 # ./crowbar.py -b rdp -s 192.168.2.211/32 -U /root/Desktop/userlist -c passw0rd
129 # ./crowbar.py -b rdp -s 192.168.2.211/32 -U ~/Desktop/userlist -c passw0rd
122130 ```
123131
124132 ![](https://raw.githubusercontent.com/galkan/crowbar/master/images/crowvar-rdp-dosya.jpg)
125133
126
127 - - -
128
134 - - -
129135
130136 RDP brute forcing a single IP address using a single username and a password list:
131137
132138 ```
133 # ./crowbar.py -b rdp -s 192.168.2.250/32 -u localuser -C /root/Desktop/passlist
139 # ./crowbar.py -b rdp -s 192.168.2.250/32 -u localuser -C ~/Desktop/passlist
134140 ```
135141
136142 ![](https://raw.githubusercontent.com/galkan/crowbar/master/images/crowvar-rdp-dosya2.jpg)
137143
138
139 - - -
140
144 - - -
141145
142146 RDP brute forcing a subnet using a username list and a password list in discovery mode:
143147
144148 ```
145 # ./crowbar.py -b rdp -s 192.168.2.0/24 -U /root/Desktop/userlist -C /root/Desktop/passlist -d
149 # ./crowbar.py -b rdp -s 192.168.2.0/24 -U ~/Desktop/userlist -C ~/Desktop/passlist -d
146150 ```
147151
148152 ![](https://raw.githubusercontent.com/galkan/crowbar/master/images/crowvar-rdp-kadi-parola-dosya.jpg)
149153
150
151 - - -
152
154 - - -
153155
154156 #### Brute Forcing SSH Private Keys
155157
156158 Below are a few examples which you have using Crowbar.
157159
158
159
160160 SSH key brute force attempt to a single IP address using a single username and a single private SSH key:
161161
162162 ```
163 # ./crowbar.py -b sshkey -s 192.168.2.105/32 -u root -k /root/.ssh/id_rsa
163 # ./crowbar.py -b sshkey -s 192.168.2.105/32 -u root -k ~/.ssh/id_rsa
164164 ```
165165
166166 ![](https://raw.githubusercontent.com/galkan/crowbar/master/images/crowbar-ssh1.jpg)
167167
168
169 - - -
170
168 - - -
171169
172170 SSH key brute force attempt to a single IP address using a single username and all the SSH keys in a folder:
173171
174172 ```
175 # ./crowbar.py -b sshkey -s 192.168.2.105/32 -u root -k /root/.ssh/
173 # ./crowbar.py -b sshkey -s 192.168.2.105/32 -u root -k ~/.ssh/
176174 ```
177175
178176 ![](https://raw.githubusercontent.com/galkan/crowbar/master/images/crowbar-ssh2.jpg)
179177
180
181 - - -
182
178 - - -
183179
184180 SSH key brute force attempt to a subnet using a single username and all the SSH keys in a folder in discovery mode:
185181
186182 ```
187 # ./crowbar.py -b sshkey -s 192.168.2.0/24 -u root -k /root/.ssh/ -d
183 # ./crowbar.py -b sshkey -s 192.168.2.0/24 -u root -k ~/.ssh/ -d
188184 ```
189185
190186 ![](https://raw.githubusercontent.com/galkan/crowbar/master/images/crowbar-ssh3.jpg)
191187
192
193
194188 #### Brute Forcing VNC
195189
196190 Below is an example of attacking a VNC service using Crowbar.
197191
198
199
200192 VNC brute force attempt to a single IP address using a password file with specified port number:
201193
202194 ```
203 # ./crowbar.py -b vnckey -s 192.168.2.105/32 -p 5902 -k /root/.vnc/passwd
195 # ./crowbar.py -b vnckey -s 192.168.2.105/32 -p 5902 -k ~/.vnc/passwd
204196 ```
205197
206198 ![](https://raw.githubusercontent.com/galkan/crowbar/master/images/crowbar-vnc.jpg)
207199
208
209
210200 ### Brute Forcing OpenVPN
211201
212202 Below is an example of attacking OpenVPN using Crowbar.
213203
214
215
216204 OpenVPN brute force attempt to a single IP address using a configuration file, a certificate file, a single username and a single password with specified port number:
217205
218206 ```
219 # ./crowbar.py -b openvpn -s 198.7.62.204/32 -p 443 -m /root/Desktop/vpnbook.ovpn -k /root/Desktop/vpnbook_ca.crt -u vpnbook -c cr2hudaF
207 # ./crowbar.py -b openvpn -s 198.7.62.204/32 -p 443 -m ~/Desktop/vpnbook.ovpn -k ~/Desktop/vpnbook_ca.crt -u vpnbook -c cr2hudaF
220208 ```
221209
222210 ![](https://raw.githubusercontent.com/galkan/crowbar/master/images/crowbar-vpn.jpg)
223211
224
225
226212 - - -
227213
228214 ### Logs & Output
229215
230216 Once you have executed Crowbar, it generates 2 files for logging and result that are located in your current directory. Default log file name is `crowbar.log` which stores all brute force attempts while execution. If you don't want use default log file, you should use `-l log_path`. The second file is `crowbar.out` which stores successful attempts while execution. If you don't want use default output file, you should use `-o output_path`. After that you can observe Crowbar operations.
231
232217
233218 - - -
234219
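Review bot: The `~` substitutions are fine, but this hunk also covers the Logs & Output section, whose description of `crowbar.out` as storing "successful attempts" becomes incomplete once lib/main.py starts writing the new `RDP-SUCCESS (INSUFFICIENT PRIVILEGES)` and `RDP-SUCCESS (ACCOUNT_LOCKED_OR_PASSWORD_EXPIRED)` result lines to the output file; document those two outcomes here so readers know a line in `crowbar.out` may be a valid password for an account that still cannot log in. While here, "If you don't want use default log file" (and the matching output-file sentence) is missing "to", and "Below are a few examples which you have using Crowbar" in the SSH section reads oddly.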
236221
237222 - Bahtiyar Bircan
238223 - Ertuğrul Başaranoğlu
239 - G0tmi1k
240
241
224 - [g0tmi1k](https://twitter.com/g0tmi1k)
242225
243226 - - -
244227
0 #!/usr/bin/env python2
0 #!/usr/bin/env python3
11
22 try:
33 from lib.main import Main
44 from lib.core.exceptions import CrowbarExceptions
5 except Exception, err:
6 import sys
7 print >> sys.stderr, err
8 sys.exit(1)
5 except Exception as err:
6 import sys
7 print(err, file=sys.stderr)
8 sys.exit(1)
99
1010 ##
1111 ### Main
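Review bot: `import sys` is placed inside the `except` block and then repeated in the second `except` block further down in this file; import it once at module top. Printing only `err` also drops the traceback, which for an import failure of `lib.main` (a missing dependency, a syntax error in a module) is exactly the information the user needs; consider `traceback.print_exc()` behind a verbose flag, or re-raising.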
1616 try:
1717 crowbar = Main()
1818 crowbar.run(crowbar.args.brute)
19 except Exception, err:
19 except Exception as err:
2020 import sys
21 print >> sys.stderr, err
21 print(err, file=sys.stderr)
2222 sys.exit(1)
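Review bot: `CrowbarExceptions` is imported at the top of this file but this handler catches the generic `Exception`, so errors the tool raises deliberately for the user and unexpected bugs get the same one-line treatment. Catch `CrowbarExceptions` for the clean message and let other exceptions propagate (or print the traceback) so real faults are not silently reduced to a message and exit code 1.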
22 import sys
33 import socket
44 import struct
5 from functools import reduce
56 from lib.core.exceptions import CrowbarExceptions
6 except Exceptions, err:
7 except Exception as err:
78 from lib.core.exceptions import CrowbarExceptions
89
910 raise CrowbarExceptions(str(err))
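Review bot: The removed line read `except Exceptions, err:` (with an `s`), which would have raised `NameError` at the moment any import in the `try` failed, so this hunk fixes a latent bug as well as the Python 3 syntax; the commit message should say so. The handler also re-imports `CrowbarExceptions` from `lib.core.exceptions` before raising, so if that module is the one that failed to import, the `except` itself raises `ImportError` and the original error is lost; the same pattern appears in logger.py, threadpool.py, main.py and nmap.py in this diff.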
2223
2324 def ipaddr_to_binary(self, ipaddr):
2425 q = ipaddr.split('.')
25 return reduce(lambda a, b: long(a) * 256 + long(b), q)
26 return reduce(lambda a, b: int(a) * 256 + int(b), q)
2627
2728 def binary_to_ipaddr(self, ipbinary):
2829 return socket.inet_ntoa(struct.pack('!I', ipbinary))
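Review bot: `ipaddr_to_binary` still trusts its input: any dotted string is reduced without checking that there are exactly four octets in 0-255, so `"300.1.1.1"` silently produces a wrong integer instead of an `InvalidIPAddress`. Since `binary_to_ipaddr` already relies on `socket`/`struct`, the exact inverse, `struct.unpack('!I', socket.inet_aton(ipaddr))[0]`, rejects out-of-range octets and non-numeric input and removes the need for `reduce` and the new `functools` import (note that `inet_aton` still accepts short forms such as `1.2.3`, so add a four-octet check if that matters).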
6566 b = b + 1
6667
6768 def cidr_iprange(self, ipaddr, cidrmask):
68 mask = (long(2) ** long(32 - long(cidrmask))) - 1
69 mask = (int(2) ** int(32 - int(cidrmask))) - 1
6970 b = self.ipaddr_to_binary(ipaddr)
7071 e = self.ipaddr_to_binary(ipaddr)
71 b = long(b & ~mask)
72 e = long(e | mask)
72 b = int(b & ~mask)
73 e = int(e | mask)
7374 while (b <= e):
7475 yield self.binary_to_ipaddr(b)
7576 b = b + 1
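Review bot: `int(2) ** int(32 - int(cidrmask))` and `int(b & ~mask)` / `int(e | mask)` wrap values that are already `int` after the earlier change; `mask = (1 << (32 - cidrmask)) - 1` with `cidrmask = int(cidrmask)` once at the top says the same thing. There is still no range check: a mask above 32 gives a negative exponent, a float `mask`, and then a `TypeError` on `b & ~mask`, and a negative mask is not rejected either; raise `InvalidIPAddress` unless `0 <= cidrmask <= 32`.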
11 import logging
22 import os.path
33 from lib.core.exceptions import CrowbarExceptions
4 except Exception, err:
4 except Exception as err:
55 from lib.core.exceptions import CrowbarExceptions
66
77 raise CrowbarExceptions(str(err))
00 try:
11 import sys
2 from Queue import Queue
2 from queue import Queue
33 from threading import Thread
44 from lib.core.exceptions import CrowbarExceptions
5 except Exception, err:
5 except Exception as err:
66 from lib.core.exceptions import CrowbarExceptions
77
88 raise CrowbarExceptions(str(err))
1313 from lib.core.threadpool import ThreadPool
1414 from lib.core.exceptions import CrowbarExceptions
1515 from lib.core.iprange import IpRange, InvalidIPAddress
16 except Exception, err:
16 except Exception as err:
1717 from lib.core.exceptions import CrowbarExceptions
1818
1919 raise CrowbarExceptions(str(err))
2020
21 __version__ = '0.3.5-dev'
21 __version__ = '0.3.6-dev'
2222 __banner__ = 'Crowbar v%s' % (__version__)
2323
2424 class AddressAction(argparse.Action):
9595
9696 self.xfreerdp_path = "/usr/bin/xfreerdp"
9797 self.rdp_success = "Authentication only, exit status 0"
98 self.rdp_success_ins_priv = "insufficient access privileges"
99 self.rdp_success_account_locked = "alert internal error"
98100 self.rdp_display_error = "Please check that the \$DISPLAY environment variable is properly set."
99101
100102 self.vncviewer_path = "/usr/bin/vncviewer"
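Review bot: The two new strings are used as `re.search` patterns further down, and "alert internal error" is a broad substring; add a comment recording the exact xfreerdp output each pattern is meant to match and which xfreerdp version produces it, otherwise the classification cannot be maintained when xfreerdp changes its messages. Also, the neighbouring `rdp_display_error` string contains `\$DISPLAY` in a normal string literal, which Python 3.6+ reports as an invalid escape sequence (`DeprecationWarning`, a `SyntaxWarning` from 3.12); since it is a regex, make it a raw string: `r"Please check that the \$DISPLAY environment variable is properly set."`.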
130132
131133 try:
132134 self.args = parser.parse_args()
133 except Exception, err:
135 except Exception as err:
134136 raise CrowbarExceptions(str(err))
135137
136138 self.ip_list = []
213215
214216 try:
215217 pool = ThreadPool(int(self.args.thread))
216 except Exception, err:
218 except Exception as err:
217219 raise CrowbarExceptions(str(err))
218220
219221 for config_line in open(self.args.config, "r"):
309311
310312 try:
311313 pool = ThreadPool(int(self.args.thread))
312 except Exception, err:
314 except Exception as err:
313315 raise CrowbarExceptions(str(err))
314316
315317 for ip in self.ip_list:
321323 def rdplogin(self, ip, user, password, port):
322324 rdp_cmd = "%s /v:%s /port:%s /u:%s /p:%s /cert-ignore +auth-only" % (
323325 self.xfreerdp_path, ip, port, user, password)
326
324327 if self.args.verbose == 2:
325328 self.logger.output_file("CMD: %s" % rdp_cmd)
326329 proc = subprocess.Popen(shlex.split(rdp_cmd), shell=False, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
336339 self.logger.output_file(result)
337340 Main.is_success = 1
338341 break
342 elif re.search(self.rdp_success_ins_priv, line):
343 result = bcolors.OKGREEN + "RDP-SUCCESS (INSUFFICIENT PRIVILEGES) : " + bcolors.ENDC + bcolors.OKBLUE + ip + ":" + str(
344 port) + " - " + user + ":" + password + bcolors.ENDC
345 self.logger.output_file(result)
346 Main.is_success = 1
347 break
348 elif re.search(self.rdp_success_account_locked, line):
349 result = bcolors.OKGREEN + "RDP-SUCCESS (ACCOUNT_LOCKED_OR_PASSWORD_EXPIRED) : " + bcolors.ENDC + bcolors.OKBLUE + ip + ":" + str(
350 port) + " - " + user + ":" + password + bcolors.ENDC
351 self.logger.output_file(result)
352 Main.is_success = 1
353 break
339354 elif re.search(self.rdp_display_error, line):
340355 mess = "Please check \$DISPLAY is properly set. See README.md %s" % self.crowbar_readme
341356 raise CrowbarExceptions(mess)
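Review bot: Both new branches set `Main.is_success = 1` and write to the output file, so an "insufficient privileges" or "account locked / password expired" response is now reported and counted exactly like a working login; the labels distinguish them on screen, but downstream consumers of `crowbar.out` (and the README, which describes it as successful attempts) need to know these mean "password accepted, session refused". The three branches are identical apart from pattern and label; a list of `(pattern, label)` tuples iterated in one loop would remove the duplication. Unchanged context in this hunk: `rdp_cmd` is built with `%s` and then `shlex.split`, so a password containing a space or a quote is mangled before it reaches xfreerdp; build the argv list directly (`[self.xfreerdp_path, "/v:%s" % ip, "/port:%s" % port, "/u:%s" % user, "/p:%s" % password, "/cert-ignore", "+auth-only"]`) and pass it to `Popen` unchanged.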
357372
358373 try:
359374 pool = ThreadPool(int(self.args.thread))
360 except Exception, err:
375 except Exception as err:
361376 raise CrowbarExceptions(str(err))
362377
363378 for ip in self.ip_list:
434449
435450 try:
436451 pool = ThreadPool(self.args.thread)
437 except Exception, err:
452 except Exception as err:
438453 raise CrowbarExceptions(str(err))
439454
440455 if not os.path.exists(self.args.key_file):
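Review bot: `ThreadPool(self.args.thread)` here is the only call site that does not wrap the argument in `int()`; the other three visible in this diff use `ThreadPool(int(self.args.thread))`. Either declare the argparse option with `type=int` so every site can drop the cast, or add it here for consistency.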
457472 for dirname, dirnames, filenames in os.walk(self.args.key_file):
458473 for keyfile in filenames:
459474 keyfile_path = self.args.key_file + "/" + keyfile
460 if keyfile.endswith('.pub', 4):
461 self.logger.output_file("LOG-SSH: Skipping Public Key - %s" % keyfile_path)
462 continue
463 pool.add_task(self.sshlogin, ip, port, user, keyfile_path, self.args.timeout)
475 if keyfile.endswith('.pub', 4):
476 self.logger.output_file("LOG-SSH: Skipping Public Key - %s" % keyfile_path)
477 continue
478 pool.add_task(self.sshlogin, ip, port, user, keyfile_path, self.args.timeout)
464479 else:
465480 pool.add_task(self.sshlogin, ip, port, user, self.args.key_file, self.args.timeout)
466481 else:
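Review bot: The lines moved inside the `os.walk` loop keep two pre-existing problems. `keyfile.endswith('.pub', 4)` only tests the suffix from index 4 onward, so a short name such as `a.pub` is not skipped and gets tried as a private key; plain `keyfile.endswith('.pub')` is what is meant. And `keyfile_path = self.args.key_file + "/" + keyfile` ignores `dirname`, so for any key in a subdirectory (which `os.walk` will descend into) the constructed path does not exist; use `os.path.join(dirname, keyfile)`, or stay at the top level with `os.listdir`.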
44 import tempfile
55 import subprocess
66 from lib.core.exceptions import CrowbarExceptions
7 except Exception, err:
7 except Exception as err:
88 from lib.core.exceptions import CrowbarExceptions
99
1010 raise CrowbarExceptions(str(err))
1919 import nmap
2020 self.lib = False
2121 except ImportError:
22 mess = "Please install the python-nmap module (pip install nmap)!"
22 mess = "Please install the python3-nmap module (pip3 install nmap)!"
2323 raise CrowbarExceptions(mess)
2424 except:
2525 mess = "File: %s doesn't exists!" % self.nmap_path
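Review bot: The module imported as `nmap` in the `try` above comes from the PyPI distribution `python-nmap`, so the pip hint should be `pip3 install python-nmap`; `pip3 install nmap` fetches a different, unrelated package. The Debian name `python3-nmap` in the same message is correct. While here, the bare `except:` two lines below also swallows `KeyboardInterrupt` and `SystemExit` and turns any failure into "File doesn't exist"; narrow it to the exception the path check actually raises.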
3333 tmpfile = tempfile.NamedTemporaryFile(mode='w+t')
3434 tmpfile_name = tmpfile.name
3535
36 if os.geteuid() != 0:
37 nmap_scan_type = "-sT"
38 else:
39 nmap_scan_type = "-sS"
40
41 nmap_scan_option = "-n -Pn -T4 %s --open -p %s --host-timeout=10m --max-rtt-timeout=600ms --initial-rtt-timeout=300ms --min-rtt-timeout=300ms --max-retries=2 --min-rate=150 -oG %s" % (
42 nmap_scan_type, port, tmpfile_name)
43
3644 if self.lib:
37 nmap_scan_option = "-n -Pn -T4 -sS %s --open -p %s --host-timeout=10m --max-rtt-timeout=600ms --initial-rtt-timeout=300ms --min-rtt-timeout=300ms --max-retries=2 --min-rate=150 -oG %s" % (
38 ip_list, port, tmpfile_name)
45 nmap_scan_option = "%s %s" % (
46 ip_list, nmap_scan_option)
3947 run_nmap = "%s %s" % (self.nmap_path, nmap_scan_option)
4048 proc = subprocess.Popen([run_nmap], shell=True, stdout=subprocess.PIPE, )
4149 stdout_value = str(proc.communicate())
4250 else:
4351 nm = nmap.PortScanner()
4452 nm.scan(hosts=ip_list,
45 arguments="-n -Pn -T4 -sS --open -p %s --host-timeout=10m --max-rtt-timeout=600ms --initial-rtt-timeout=300ms --min-rtt-timeout=300ms --max-retries=2 --min-rate=150 -oG %s" % (
46 port, tmpfile_name))
53 arguments=nmap_scan_option)
4754
4855 try:
4956 for line in open(tmpfile_name, "r"):
5158 ip = line[:-1].split(" ")[1]
5259 result.append(ip)
5360 return result
54 except Exception, err:
61 except Exception as err:
5562 raise CrowbarExceptions(str(err))
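Review bot: Good to fall back to `-sT` when not root, but check that `os` is imported in this module: the hunk introduces `os.geteuid()` and the import lines shown at the top of the file (`tempfile`, `subprocess`) do not include it. Two points in the unchanged context: `subprocess.Popen([run_nmap], shell=True, ...)` passes a string that now has the user-supplied target list interpolated at its front through a shell, so shell metacharacters in the `-s` input are interpreted; split the targets into separate arguments, build an argv list starting with `self.nmap_path`, and use `shell=False`. `stdout_value = str(proc.communicate())` is never used, so drop the assignment (keep the `communicate()` call so nmap is waited for); the results are read from the `-oG` file instead.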
0 paramiko==2.7.1
1 nmap==0.0.1
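Review bot: `nmap==0.0.1` is not the distribution that provides the `nmap` module used by lib/core/nmap.py; that is `python-nmap` (the same mismatch as the pip hint in that file). Pin `python-nmap` at the release that was tested with this port. `paramiko==2.7.1` works as an exact pin, but for a security-relevant dependency a lower bound (`paramiko>=2.7.1`) lets packaged fixes be picked up.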